[ntp:questions] Very rapid polling

Richard B. Gilbert rgilbert88 at comcast.net
Wed Feb 11 04:38:07 UTC 2009


Danny Mayer wrote:
> Eric wrote:
>> On Mon, 9 Feb 2009 14:07:26 -0800 (PST), jlevine <jlevine at boulder.nist.gov>
>> wrote for the entire planet to see:
>>
>>> In the last few days I have seen an increasing number of systems that
>>> are requesting the time in NTP format several times per second. 
>> Have you considered the possibility that they are spoofed queries from a
>> botnet?  There are some records of which IPs are the current/past targets.
>>
>> There have been a number of recent DDoS attacks using spoofed UDP packets.
>> The usual attack uses port 53 (DNS) and attempts to get 'amplification' of
>> a small query into a large response towards the victim IP.  NTP packets are
>> the same size both ways, but might still be used to help with a flood.
>>
>> The only mitigation I can think of here is for NTP to not respond to
>> excessive rate queries at all, or very infrequently, after the KOD.
>>
>> - Eric
> 
> That's what the latest code does.
> 
> Danny

If ntpd responds to such DOS attacks with the WRONG YEAR or random 
date-times, it might discourage the perpetrators.
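
The mitigation discussed in this thread (answer normally, send one kiss-o'-death, then stay silent toward a source that keeps polling too fast), as an added Python example that is not part of the original posts and is not ntpd's own code. The thresholds, the class and function names, and the sample queries are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MIN_SPACING = 2.0    # assumed: minimum seconds between queries from one source
KOD_INTERVAL = 60.0  # assumed: at most one KoD per source in this many seconds


@dataclass
class SourceState:
    last_seen: float
    last_kod: float = float("-inf")


class RateLimiter:
    """Per-source decision: 'respond', 'kod' (one rate-exceeded reply) or 'drop'."""

    def __init__(self, min_spacing=MIN_SPACING, kod_interval=KOD_INTERVAL):
        self.min_spacing = min_spacing
        self.kod_interval = kod_interval
        self.sources = {}

    def decide(self, src, now):
        state = self.sources.get(src)
        if state is None:
            self.sources[src] = SourceState(last_seen=now)
            return "respond"
        too_fast = (now - state.last_seen) < self.min_spacing
        state.last_seen = now  # spacing is measured against every packet, answered or not
        if not too_fast:
            return "respond"
        if now - state.last_kod >= self.kod_interval:
            state.last_kod = now
            return "kod"
        return "drop"  # no reply at all, so a spoofed source address receives nothing


def replay(queries, limiter=None):
    """Run (timestamp, source) pairs through the limiter; count decisions per source."""
    limiter = limiter or RateLimiter()
    counts = {}
    for ts, src in queries:
        verdict = limiter.decide(src, ts)
        per_src = counts.setdefault(src, {"respond": 0, "kod": 0, "drop": 0})
        per_src[verdict] += 1
    return counts


# Constructed sample: one source at 4 queries/second for 10 s, one polling every 64 s.
SAMPLE = sorted(
    [(i * 0.25, "192.0.2.10") for i in range(40)]
    + [(i * 64.0, "198.51.100.7") for i in range(3)]
)
```

Calling `replay(SAMPLE)` shows the rapid poller getting one normal reply and one KoD out of 40 queries, while the well-behaved client is answered every time.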



